Microsoft Discloses 4 Zero-Days in September Update

This month’s Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.

DARKReading

Attackers are already actively exploiting four of the 79 vulnerabilities for which Microsoft issued a patch this week as part of its monthly security update.

Two of the zero-day bugs give attackers a way to bypass critical security protections in Windows and therefore should be at the top of any organization’s priority list for remediation.

One of the remaining zero-days is an elevation of privilege flaw that enables access to system-level privileges; the other is a bug that rolled back, or reintroduced, vulnerabilities in certain versions of Windows 10 for which Microsoft had previously issued patches.

In total, Microsoft’s September update contained seven critical remote code execution (RCE) and elevation of privilege vulnerabilities. The company assessed 19 of the CVEs in its latest updates as vulnerabilities that attackers are more likely to exploit because they enable remote code execution, involve attacks that are low in complexity, require no user interaction, and exist in widely deployed products, as well as other factors.

Security Bypass Zero-Days

One of the security bypass vulnerabilities, tracked as CVE-2024-38226, affects Microsoft Publisher. It allows an attacker with authenticated access to a system to bypass the Microsoft Office macro policies used to block untrusted and malicious files. “An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer,” Microsoft said. The company gave the vulnerability a moderate CVSS severity score of 6.8 out of 10, presumably because an attacker would need to convince a user to open a malicious file in order for any exploit to work.

The other security bypass zero-day bug in Microsoft’s September update is CVE-2024-38217, in the Windows Mark of the Web (MoTW) feature that is designed to protect users against potentially harmful files and content downloaded from the Web. The vulnerability allows an attacker to sneak malicious files past MoTW defenses and cause what Microsoft described as “limited loss” of integrity and availability of application reputation checks and other security features. Microsoft assigned CVE-2024-38217 a severity rating of 5 because to exploit it an attacker would need to convince potential victims to visit an attacker-controlled site and then download a malicious file from there.

“Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running,” Satnam Narang, senior staff research engineer at Tenable, said in a statement. “In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226,” he said.

RCE and Privilege Escalation Zero-Days

The two other bugs in Microsoft’s latest update that attackers are already actively exploiting are CVE-2024-38014 and CVE-2024-43491. CVE-2024-38014 is an elevation of privilege vulnerability in Windows Installer that attackers can use to gain system-level privileges. As with the other zero-days, Microsoft’s advisory offered no details on the exploit activity targeting the bug or when it might have started. Despite the ongoing attacks targeting CVE-2024-38014, Microsoft assessed the flaw as only moderately severe (7.8 out of 10 on the CVSS scale) because an attacker would already need to have compromised an affected system to exploit the vulnerability.

CVE-2024-43491, meanwhile, is a high-severity (CVSS score 8.5) RCE in Microsoft Windows Update. The vulnerability rolls back fixes that Microsoft issued in March for certain versions of Windows 10. According to Microsoft, the vulnerability gives attackers a way to exploit vulnerabilities that Microsoft previously mitigated in Windows 10, version 1507, between March and August. “Customers need to install both the servicing stack update (KB5043936) AND security update (KB5043083), released on September 10, 2024, to be fully protected from the vulnerabilities that this CVE rolled back,” Microsoft said.

Kev Breen, senior director of threat research at Immersive Labs, advocated that administrators pay close attention to Microsoft’s Official Notes for CVE-2024-43491. “There are a lot of caveats to this one,” Breen said in emailed comments. “The short version is that some versions of Windows 10 with optional components enabled was left in a vulnerable state” since March.
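
A check for the two updates Microsoft names for CVE-2024-43491, as an added example that is not part of the original article or of Microsoft's guidance. The KB numbers are the article's; the function name, the sample host names and the build number 10240 for Windows 10, version 1507 are assumptions added here.

```powershell
# Added example. KB numbers come from the article; the function name is hypothetical.
$RequiredKbs   = 'KB5043936', 'KB5043083'   # servicing stack update, security update
$AffectedBuild = '10240'                    # Windows 10, version 1507 (not stated in the article)

function Test-RollbackRemediation {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $BuildNumber,
        [string[]] $InstalledKbs = @()
    )
    # Both updates are required; one without the other is not a full fix.
    $missing = @($RequiredKbs | Where-Object { $InstalledKbs -notcontains $_ })

    if ($BuildNumber -ne $AffectedBuild) { $status = 'NotApplicable' }
    elseif ($missing.Count -eq 0)        { $status = 'Remediated' }
    else                                 { $status = 'Incomplete' }

    [pscustomobject]@{
        ComputerName = $ComputerName
        BuildNumber  = $BuildNumber
        Status       = $status
        MissingKbs   = if ($status -eq 'Incomplete') { $missing -join ', ' } else { '' }
    }
}

# Constructed inventory rows (not real hosts) covering each outcome.
$sample = @(
    @{ ComputerName = 'kiosk-01'; BuildNumber = '10240'; InstalledKbs = 'KB5043936', 'KB5043083' }
    @{ ComputerName = 'kiosk-02'; BuildNumber = '10240'; InstalledKbs = 'KB5043083' }
    @{ ComputerName = 'kiosk-03'; BuildNumber = '10240'; InstalledKbs = @() }
    @{ ComputerName = 'desk-17';  BuildNumber = '19045'; InstalledKbs = @() }
)
$sample | ForEach-Object { $row = $_; Test-RollbackRemediation @row } | Format-Table -AutoSize

# Live check on the local machine. Get-HotFix does not list every kind of update,
# so confirm an 'Incomplete' result against the update history before acting on it.
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object HotFixID)
Test-RollbackRemediation -ComputerName $env:COMPUTERNAME -BuildNumber $os.BuildNumber -InstalledKbs $installed
```

The evaluation is kept separate from the data collection so the same function can be fed rows exported from an existing patch inventory instead of querying each host.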

This is the second month in a row where Microsoft has given administrators multiple zero-days to contend with. In August, the company disclosed six of them — equal to the total for the entire year up to that point.

Other High-Priority Bugs

Other bugs of note in the latest update according to security researchers include CVE-2024-43461, a Windows spoofing vulnerability; CVE-2024-38018, a Microsoft SharePoint Server RCE; and CVE-2024-38241 and CVE-2024-38242, two elevation-of-privilege vulnerabilities in Kernel Streaming Service Driver.

CVE-2024-43461 affects all supported versions of Microsoft Windows. It is similar to CVE-2024-38112, a zero-day bug that Microsoft patched in July after at least two threat groups had been exploiting it for 18 months. Attackers could leverage the exploits for CVE-2024-38112 in attacks against the new CVE-2024-43461, according to Saeed Abbasi, manager of vulnerability research at Qualys. “There exists a high likelihood of exploitation, as this vulnerability enables attackers to spoof legitimate web content, leading to unauthorized actions such as phishing and data theft,” Abbasi said in emailed comments.

Organizations need to prioritize patching the Microsoft SharePoint Server RCE vulnerability (CVE-2024-38018) because no mitigations or workarounds are available for it, said Tom Bowyer, director of IT security at Automox, in emailed comments. “The potential impact of this CVE is significant, especially given the business-critical nature SharePoint servers play in organizations that utilize them,” and the ease of exploitation.

Ben McCarthy, lead cybersecurity engineer at Immersive Labs, identified the Kernel Streaming Service Driver flaws (CVE-2024-38241 and CVE-2024-38242) as important to address because they are present at the kernel level and give attackers a way to bypass security controls, escalate privileges, execute arbitrary code, and take over the whole system.

So far this year, Microsoft has disclosed a total of 745 vulnerabilities across its products, according to numbers maintained by Automox. Microsoft has identified just 33 of them as critical.


About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.
